Home page logo

bugtraq logo Bugtraq mailing list archives

Re: man bugs might lead to root compromise (RH 6.1 and other boxes)
From: whitis () DBD COM (Mark Whitis)
Date: Sun, 27 Feb 2000 23:48:09 -0500

On Sat, 26 Feb 1994, Michal Zalewski wrote:

With most of Linux distributions, /usr/bin/man is shipped as setgid man.
This setgid bit is required to build formatted manpages in /var/catman for
faster access. Unfortunately, man does almost everything via system()
calls, where parameters are user-dependent, and almost always it's
sprintf'ed before to fixed size buffers. It's kinda trivial to gain man
privledges, using buffer overflows in enviromental variables. For example,
by specyfing MANPAGER variable with approx 4k 'A' letters, you'll get

This might be a side effect of the fix for another security hole.
IIRC, /var/catman/ was world writable allowing for all kinds of symlink
games which would allow ordinary users to do some things as root
(like clobbering files) by laying a trap in /var/catman/ and waiting
for root to run man.

Exploiting this buffer overflow bug to gain man priveledges would then
allow you to exploit the previous bugs as well if root runs "man"
(or possibly the priveledges of any user who runs man).

If you need to run man as root, consider:
   su nobody -c "man ls"             # assumes shell is /bin/bash
Or just switch to another console or window.

The man program was never designed to be secure but having a shared
manpage cache requires man to be secure.  If you disable man page caching,
you should be able to run man without setgid.

---  Mark Whitis <whitis () dbd com>     WWW:  http://www.dbd.com/~whitis/ ---

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]